create-agentic-workflow
Pass
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface within the scaffold_agentic_workflow.py script. It generates .agent.md and .yml files by directly interpolating the 'description' and 'body' of a source skill into the generated instructions and prompts.
  - Ingestion points: The scaffold_agentic_workflow.py script reads the content of an existing SKILL.md file provided via the --skill-dir or --plugin-dir arguments.
  - Boundary markers: The generated .agent.md file uses YAML frontmatter delimiters (---) for the description but does not employ protective delimiters or "ignore embedded instructions" warnings for the main instruction body.
  - Capability inventory: The generated GitHub Actions workflows grant the agent the ability to use the @github/copilot CLI with powerful tools including read, write, and shell.
  - Sanitization: The script lacks sanitization for the instruction content being copied, which could allow a malicious source skill to embed instructions that are executed by the generated agent in the CI/CD environment.
- [COMMAND_EXECUTION]: Several utility scripts in the scripts/ directory utilize the subprocess module to execute system commands and interact with CLI tools. improve_description.py and run_eval.py execute claude -p or copilot -p commands. generate_review.py executes the lsof command to manage local server ports and uses os.kill to terminate existing processes.
- [EXTERNAL_DOWNLOADS]: The generated GitHub Actions runner file includes a step to install the @github/copilot package globally via npm. This is a well-known package from a trusted organization (GitHub). Additionally, documentation patterns like dynamic-specification-fetching.md suggest fetching SDK references from official GitHub repositories.
Audit Metadata